We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-37905

Cross-site Scripting (XSS) in Source Mode of Editor in ckeditor-wordcount-plugin



Description

ckeditor-wordcount-plugin is an open source WordCount Plugin for CKEditor. It has been discovered that the `ckeditor-wordcount-plugin` plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. This issue has been addressed in version 1.17.12 of the `ckeditor-wordcount-plugin` plugin and users are advised to upgrade. There are no known workarounds for this vulnerability.

Reserved 2023-07-10 | Published 2023-07-21 | Updated 2024-10-21 | Assigner GitHub_M


MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 1.17.12
affected

Default status
unaffected

>= 10.0.0, < 10.4.39
affected

>= 11.0.0, < 11.5.30
affected

References

github.com/...Plugin/security/advisories/GHSA-q9w4-w667-qqj4

github.com/...ommit/0f03b3e5b7c1409998a13aba3a95396e6fa349d8

github.com/...ommit/a4b154bdf35b3465320136fcb078f196b437c2f1

github.com/.../typo3/security/advisories/GHSA-m8fw-p3cr-6jqc

typo3.org/security/advisory/typo3-core-sa-2023-004

cve.org (CVE-2023-37905)

nvd.nist.gov (CVE-2023-37905)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2023-37905

Support options

Helpdesk Chat, Email, Knowledgebase